How reCaptcha knows that “you are a human and not a robot” just by ticking a box

Google bought the company reCaptcha in September 2009, and has since been evolving its technology to protect web pages of malicious bots by distinguishing them among humans. When we think of the Captchas we all come to mind having to write impossible and meaningless words, but for some time the process has become much simpler.

With the current No CAPTCHA reCAPTCHA technology, you only need to click on a box to identify yourself as a human. The advance was introduced by Google in December 2014, and today we are going to explain how this is possible and what data the algorithm of this system takes into account to know that you are human.

How reCaptcha knows that you are a human and not a robot just by ticking a boxWith the passage of time and to protect the webs of bots that were learning to skip them, the Captchas were getting more and more complicated. So much so that bots sometimes had it easier to say that they were human than the network users themselves. Therefore, Google decided to take a different path and make the identification system much simpler.

To keep your security, Google has not revealed the algorithms it uses to identify us as humans, but we know some of the data they use to do so. In a nutshell, Google gossips what you’ve been doing until you click on the box, and that’s something that has worried part of the community more aware of privacy.

Why do we need Captchas?

If you have a forum or a web with surveys and forms, in addition to human people we expose you to the bots can also register and use them to perform abusive actions. Come on, you can reach your forum and fill it with spam messages or do the same with the comments of your blog.

Captcha are a response to this behavior, an automatism that tries to identify bots so they can not register. Among these systems, one of the most popular is the Google reCaptcha, also known because in addition to keeping the bots at bay uses what we write in it to digitize books, improve maps and solve problems especially difficult for current artificial intelligence.

However, for years this technology has had some key problems. Increasingly complex formulas also prevented people with accessibility or disabilities from registering. In addition, as we mentioned before, bots have evolved to be able to overcome this type of automatic barriers.

It is in this concept that a few years ago Google introduced a new proposal. One that went through making the process much easier for humans, but at the same time much more complicated for bots and automatism. But of course, for this to be possible Google needs to obtain enough data to identify us as humans.


The way it occurred to Google to identify ourselves as human without having to write anything is to review everything we have been doing before clicking on the box “I am not a robot.” As one of the spokesmen of Google told WIRED at the time, reCaptcha examines unwanted clues of each user , such as the IP address or active cookies.

With these two parameters, Google’s algorithm will check our behavior over the Internet, and make sure we ‘re the human that cookies have been followingwhile browsing. Beyond that, the Algorithm will also take into account what we do when we see the box of reCaptcha.

It also records the movement of your mouse from the time it appears until you click.

To do this, the Google system also records the movement of our mouse to see how we behave when reCaptcha appears. The bots usually do it in an automatic way, whereas humans do not usually always go straight to the selectable box, and so the course of our mouse is different. That kind of behavior is what the algorithm will look for to identify us as humans.

In addition to these data, Google also takes into account other parameters that it has decided to keep deliberately hidden. Why? Because if you made public all the information you use to identify us the creators of the bots would know what is taken into account , and could design their automatismos to easily skip security.

As surely more than once you have been able to verify, in case your behavior makes you doubt the system of your human nature, reCaptcha will show you a window in which you will be asked to write a text or click on certain images. Come on, more or less go back to the security system of a lifetime.

Are they a threat to privacy?

How, that Google reviews the pages we have visited, how we have behaved in them and the movement of our own mouse to know if we are human? Although they do it for a positive purpose, the simple fact that they do it gives visibility to the immense amount of data about us that the online companies are able to register without we know it, and this sounds all the alarms of the defenders of Privacy.

A couple of years ago, several researchers claimed to have decrypted the code of the new Google reCaptcha, and accused the company of the search engine to be storing much more information about the behavior of the users they said. They also said that although the security system was not advertised as a Google product, it used cookies to record our movements.

More than knowing if we are a human, what we know is how human we are.

This means that if in theory the only purpose of this system is to identify ourselves as humans, as we have mentioned before, what it is really doing is knowing what specific human we are through the cookie structure of the search engine company. Something that allows you to have more complete profiles of our online behavior thanks to a security tool.

To do this, according to these researchers, the search company was also recording the resolution and screen size of the netizens, as well as the time, their language, the plug-ins they have installed in the browser browser and all JavaScript objects . Also CSS information of the page you are in and various touch or mouse movements that we make.

However, all these doubts about privacy lead us to a classic debate around which many technologies revolve today. To what extent are we willing to sacrifice privacy in exchange for greater security ? Possibly, if Google did not get anything in return would not be so interested in further innovating its technology, which in turn would make our forums and websites had a little more spam than they have.

Leave a Reply

Your email address will not be published. Required fields are marked *